Secure Your Development Process - Or Face the Growing Risks to Software
October 18, 2022

Tomislav Pericin
ReversingLabs

During the past year-and-a-half, the US federal government developed a canon of guidance that addresses software supply chain security. It began with the Biden Administration's Executive Order 14028 on Improving the Nation's Cybersecurity, followed by the National Institute of Standards and Technology (NIST) publishing the first version of their Secure Software Development Framework. And most recently, the White House's memorandum (PDF) on behalf of the Office of Management and Budget (OMB) that mandates the federal use of secure third-party software.


Needless to say, the federal government has been quite busy building its case that both the private and public sectors need to address software supply chain risk head-on. However, all of the mentioned motions above, while essential to software security, do not directly address the private sector. For the many software organizations out there that do not work directly with the federal government, what can serve as their source of truth for software supply chain security?

Well, a recent report titled Securing the Software Supply Chain may be what software organizations are looking for.

The Report: Software Security's "Compendium"

This report, tagged as a "recommended practices guide for developers," was written by the federal government's Enduring Security Framework (ESF) Software Supply Chain Working Panel. The ESF has representation from government agencies, specifically the Cybersecurity and Infrastructure Agency (CISA), the National Security Agency (NSA), and the Office for the Director of National Intelligence (ODNI). It also has experts from the IT, Communications and Defense Industrial Base sectors, making the working group representative of public-private partnership.

The guidance is meant to serve as a "compendium of suggested practices for developers, suppliers, and customer stakeholders to help ensure a more secure software supply chain." It's split into 3 parts, with each part addressing either developers, suppliers, and customer stakeholders, who all have a stake in securing software supply chains.

The report consists of several key points that should help software organizations get on the right track when it comes to software security.

First, it paints an accurate picture of the problem at large, which is that there are a number of active risks to the software supply chain. It goes beyond the infamous SolarWinds incident of December 2020 to include other possible risks like software tampering, attackers abusing open source repositories, and malicious binaries.

Second, the report serves as a true "compendium." ReversingLabs Cyber Content Lead Paul Roberts noted that this report can be characterized as a Rosetta Stone for software supply chain security. The ESF pulls together both private and public sector documents that advise on software security, making it easier for software organizations to familiarize themselves with standard practices for ensuring proper software security health.

Third, the ESF's guidance makes helpful recommendations for securing software supply chains. For example, the report emphasizes the use of software composition analysis (SCA) tools, given that the risk of malicious binaries is often overlooked. It also focuses on software bills of materials (SBOMs) as being a necessary tool to understand what kinds of components a software product includes, such as open source and third-party components. Additionally, it recommends that software organizations conduct automated static and dynamic testing of newly checked-in code, allowing them to look for vulnerabilities.

While it's clear that the ESF report is a momentous step forward for secure software, there is still a hurdle to overcome: software organizations that do not do business with the federal government, as well as federal development teams and contractors, are not mandated to follow these guidelines. Instead, these organizations must incentivize themselves to do the heavy-lifting.

Thinking Beyond SolarWinds

While SolarWinds serves as the catalyst for the software security movement, it is not the only incident that demonstrates the magnitude of this problem. It has been almost 2 years since SolarWinds, and within this span of time, more attacks and new risks to the software supply chain have been discovered. Additionally, we have learned a great deal about where the industry stands when it comes to securing software.

For example, a ReversingLabs commissioned study, conducted by Dimensional Research, found that a majority of software organizations in 2022 are not equipped to handle software supply chain risks. Out of 300 respondents, roughly half of them reported that their organizations cannot protect their software against third-party risks when using open source, commercial solutions, and partner software. Also, only 37% of respondents confirmed that they have a way of detecting software tampering across their supply chain, and very few (7%) check for tampering in every development stage.

As the software industry struggles to follow secure software practices, the risks and attack possibilities to the software supply chain continue to grow. Attacks on popular open source repositories like npm and PyPI have skyrocketed by 289% over the past 4 years.

That growth is evident in recently discovered software supply chain attacks that abuse these public repositories, such as the IconBurst supply chain attack, as well as additional attacks on both npm and PyPI.

Despite the vast attack possibilities on open source repositories, this problem is just one risk to the software supply chain. The ESF report calls out a number of areas in addition to open source risk that software organizations need to pay attention to when securing their development processes.

For example, the ESF guidance notes that modern Integrated Development Environments (IDEs) are extensible with third party plug-ins, creating the possibility that malicious IDE plug-ins may compromise the local development environment. Such tools and third party plug-ins should be scanned for vulnerabilities and evidence of tampering before being added to developer machines, the ESF report argues.

Software Suppliers: Get Ahead While You Still Can

There are fair criticisms of the ESF report, such as it not being practical enough for developers to follow. However, given the wealth of content, resources, and action steps this report provides, it is clear that the document serves as a good starting point for organizations looking to secure their software development practices.

It is also likely that these same organizations do not want to become the next SolarWinds. This is why they need to implement robust software security policies that will aid their organization's ability to prevent these kinds of incidents. This is why, despite its flaws, the ESF report is a big step in the right direction.

Tomislav Pericin is Chief Software Architect at ReversingLabs
Share this

Industry News

March 20, 2023

To meet the growing demand for Oracle Container Engine for Kubernetes (OKE) with global organizations, Oracle Cloud Infrastructure (OCI) is introducing new capabilities that can boost the reliability and efficiency of large-scale Kubernetes environments while simplifying operations and reducing costs.

March 20, 2023

Perforce Software joined the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program and listed its free Enhanced Studio Pack (ESP) in AWS Marketplace.

March 20, 2023

Aembit, an identity platform that lets DevOps and Security teams discover, manage, enforce, and audit access between federated workloads, announced its official launch alongside $16.6M in seed financing from cybersecurity specialist investors Ballistic Ventures and Ten Eleven Ventures.

March 16, 2023

Hyland released Alfresco Content Services 7.0 – a cloud-native content services platform, optimized for content model flexibility and performance at scale.

March 16, 2023

CAST AI has announced the closing of a $20M investment round.

March 15, 2023

Check Point® Software Technologies introduced Infinity Global Services, an all-encompassing security solution that will empower organizations of all sizes to fortify their systems, from cloud to network to endpoint.

March 15, 2023

OpsCruise's Kubernetes and Cloud Service observability platform is certified to run on the Red Hat OpenShift Kubernetes platform.

March 14, 2023

DataOps.live released an update to the DataOps.live platform, delivering productivity for data teams.

March 14, 2023

CoreStack and Zensar announced a strategic global partnership. CoreStack will provide its AI-powered NextGen cloud governance and FinOps capabilities, complementing Zensar’s composable cloud operations offering.

March 14, 2023

Delinea introduced the Delinea Platform, a cloud-native foundation for Delinea's PAM solutions that empowers end-to-end visibility, dynamic privilege controls, and adaptive security.

March 13, 2023

Sysdig announced a new foundation that will serve as the long-term custodian of the Wireshark open source project.

March 13, 2023

Talend announced the latest update to Talend Data Fabric, its end-to-end platform for data discovery, transformation, governance, and sharing.

March 13, 2023

Descope has raised $53M in seed funding and emerged from stealth to launch a frictionless, secure, and developer-friendly authentication and user management platform.

March 09, 2023

Loft Labs announced Loft v3 with new capabilities and flexibility for platform teams to build and enable their development teams with a self-service Kubernetes.

March 09, 2023

AWS Application Composer is now generally available.